I use this option:

    -U  Rather than requiring the authentication principal be given on the command line, read it from the keytab specified with -f. The principal will be taken from the first entry in the keytab. -f must be specified if this option is used.
so my systemd file, to start k5start, looks like this:
------------
[Unit]
Description=k5start for generating tickets for ldap main-db replication
After=syslog.target network.target

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/bin/k5start -k /tmp/krb5ccm_11 -m 600 -o openldap -g openldap -U -f /opt/symas/etc/openldap/krepl-main.keytab -K 10 -l 10h
Restart=always
RestartSec=120

[Install]
WantedBy=multi-user.target
-----------
On 21.02.25 at 23:42, Quanah Gibson-Mount wrote:
--On Friday, February 21, 2025 9:25 PM +0100 Stefan Kania <stefan@kania-online.de> wrote:
With k5start you can create different ticket caches. I managed to get it working today. I use: authcid = user@MY.REALM
Maybe it would be a good idea to put an example into the manpage for the two options authcid and authzid.
Yeah I know all about k5start, I used to work with Russ.
My question was more how does slapd know which one to use... I always had to set the k5 ticket cache in the environment before starting slapd. Would love to see an example :)
--Quanah
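As an added example (not part of Stefan's or Quanah's messages), here is one way to wire slapd to the cache that the k5start unit above writes, which is what Quanah's question about "which one to use" comes down to: libkrb5, and therefore the Cyrus SASL GSSAPI plugin inside slapd, reads KRB5CCNAME from the process environment, so the cache path has to be set in slapd's own unit. The drop-in path, the unit name k5start.service, and the slapd unit name are assumptions; the cache path /tmp/krb5ccm_11 is the one from the ExecStart line above.

```ini
# Assumed location: /etc/systemd/system/slapd.service.d/krb5cc.conf
# (the slapd unit may have a different name in your packaging; adjust the
# directory to match "systemctl list-units | grep -i ldap").
[Unit]
# Start k5start first so the cache exists when slapd initialises SASL.
# "k5start.service" is the assumed name of the unit shown in the mail above.
After=k5start.service
Wants=k5start.service

[Service]
# k5start is run with "-k /tmp/krb5ccm_11"; a bare path is a FILE: cache,
# so hand slapd exactly that name (same type prefix, same path).
Environment=KRB5CCNAME=FILE:/tmp/krb5ccm_11
# If the packaged slapd unit sets PrivateTmp=yes, slapd gets an empty,
# private /tmp and never sees the cache k5start wrote to the real /tmp.
# Overriding it here (or moving the cache out of /tmp in both units) avoids
# a silent "no credentials cache found" failure at replication start.
PrivateTmp=no
```

After `systemctl daemon-reload`, `systemctl show -p Environment slapd.service` should list KRB5CCNAME, and `sudo -u openldap KRB5CCNAME=FILE:/tmp/krb5ccm_11 klist` should show the keytab principal with a valid ticket; the cache is created with `-m 600 -o openldap`, so only that user can read it, which is why the check has to run as openldap rather than as root.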